Even managed service providers receive scam emails and phone calls.
These serve as a reminder that education on phishing, scareware, and ransomware is an ongoing process, one that even IT experts need to stay sharp on.
But let’s assume you aren’t an IT expert. How can you best determine the validity of these messages and whether they have malicious intent?
As with any learning process, practice is important. You may want to start with our phishing quiz. Know where you stand with gut instinct and some important clues.
Whether the attempt is made by email or phone, there is always something just a bit off about a phishing attempt. The phisher may have some accurate personal information—like your name, or the fact that you have Yahoo! email or an AT&T phone account—and will use it to see if you’ll take the bait.
It is easy to panic at the threat of suspension or an overdue bill and put aside any unease because of the urgent matter apparently at hand. This is exactly what phishers and scammers hope will happen.
The goal of these calls or emails is to collect even more information about you, fleshing out a profile for future scams, which the phisher can sell to other scammers, or—the jackpot—to collect banking or credit card information and cash in.
Because these phishes do have some truth mixed in, many people do fall victim.
It might sound like an episode of Black Mirror—in fact, the tactics used in this blackmail email are eerily similar to those dramatized in a recent episode of the Netflix series depicting fictional futures—but scammers are now using direct emails as a method to extort information or Bitcoin from unsuspecting users.
About a month ago, Mark Anderson, Principal of Anderson Technologies, received a blackmail email scam. “As you could probably have guessed, your account was hacked, because I sent message you from it,” the scammer began in broken English. They first boasted by showing an unencrypted old password—probably acquired from Yahoo’s 2013 data breach.
The email continued to outline the threat. “Within a period from July 7, 2018 to September 23, 2018, you were infected by the virus we’ve created.” This virus, they suggested, gave them access to “messages, social media accounts, and messengers.” This apparently wasn’t enough intimidation for most scam victims, because the email then amped up the threat.
Users all over the internet report similar threats; the scammer creates a scenario that, if true, would serve as ample motivation to give in to their demands. The scammer says that video of the user was recorded while visiting “adult websites,” and that, unless 700 dollars is transferred to the scammer’s Bitcoin wallet within 48 hours, this footage would be released and they would “show this video to your friends, relatives, and your intimate one…”
So, with a relatively low payout amount, and a previously accurate (but very old) password, how did Anderson know this threat was a scam? He knew what they’d accused him of was false, not to mention he didn’t have a webcam as they’d suggested. But other clues included:
- While the email appeared to be sent from Anderson’s old account, this can be accomplished through spoofing.
- The password they listed was not the current (or even recent) password for that account.
- Broken English isn’t always a giveaway, but combined with the generic threat, it seemed like a form letter.
- Googling some of the email text brings up threads of other users exposing the scam. We’ve censored some of the less savory aspects of the original email, but the full text and breakdown can be read online.
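The spoofing clue in the list above can be checked in the message headers. The following added example (not part of the original article; the sample message, addresses and finding labels are constructed) compares the visible From address with the envelope sender and reads the SPF, DKIM and DMARC verdicts recorded by the receiving mail server:

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: From equals the recipient's own address, as in the
# blackmail email described above. Every address and host here is made up.
SAMPLE = """\
Return-Path: <bounce@mailer.invalid>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.invalid; dkim=none; dmarc=fail header.from=example.org
From: "You" <user@example.org>
To: user@example.org
Subject: Your account was hacked

(body omitted)
"""

BAD_RESULTS = {"fail", "softfail", "permerror"}

def _addr(value):
    """Bare lower-cased address from a header value ('' if absent)."""
    return parseaddr(value or "")[1].lower()

def _domain(value):
    return _addr(value).rpartition("@")[2]

def spoofing_indicators(raw):
    """Return a list of header findings that suggest a forged From address."""
    msg = message_from_string(raw)
    findings = []
    rp = _domain(msg["Return-Path"])
    if rp and rp != _domain(msg["From"]):
        findings.append("return-path-mismatch")
    # Only trust an Authentication-Results header stamped by your own mail
    # server; a sender can insert a fake one further down the header block.
    auth = (msg["Authentication-Results"] or "").lower()
    for part in auth.split(";")[1:]:
        tokens = part.split()
        method, _, result = tokens[0].partition("=") if tokens else ("", "", "")
        if method in ("spf", "dkim", "dmarc") and result in BAD_RESULTS:
            findings.append(f"{method}={result}")
    if _addr(msg["From"]) and _addr(msg["From"]) == _addr(msg["To"]):
        findings.append("from-equals-recipient")
    return findings

if __name__ == "__main__":
    print(spoofing_indicators(SAMPLE))
```

A message that claims to come from your own address but fails SPF and DMARC was sent from somewhere else, which is consistent with spoofing rather than with a compromised account.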
If you receive this email or a similar threat, your first step should be to research the threat online or reach out to an IT expert. Never pay a blackmail, ransom, or other request for money. Instead, update your passwords, run anti-virus and anti-malware scans on affected devices, and consider implementing multi-factor authentication on your accounts in order to bolster your security profile.
Phishing and spear-phishing emails are an ever-present problem to businesses, and the criminals are only getting better at fooling people. Understanding and being able to spot phishing and spear-phishing emails is a vital part of employee training at Anderson Technologies. But reading about how to spot them and actually spotting emails are different things.
Worse yet, the phishing websites those email links go to often appear legitimate, right down to having the secure lock icon in the browser. In their 2018 1st Quarter Report, the Anti-Phishing Working Group notes that “more than a third of phishing attacks [reported to them] were hosted on web sites that had HTTPS and SSL certificates.” They attribute this in part to the fact that consumers believe they can trust all HTTPS sites, or they at least recognize a site without encryption asking for personal or financial information is not secure.
It’s vital to know whether your email is a legitimate business interest or a scam hoping to trap you, but how confident are you that you can tell? Take our quiz to see if you can tell the difference between a legitimate email and a fake one.
Hopefully you were an expert phisherman, but if not, it’s not too late to brush up on some basics.
- Know what you’ve ordered and who your vendors are. If you didn’t order anything from the person, don’t trust their emails.
- Always check the sender’s address before clicking on links or attachments, even if it looks like a company you trust.
- Read the email completely before clicking links. Poor grammar or obvious spelling/branding mistakes are key signs of phishing emails.
- If you’re unsure if an email is really from a company you trust, go to their website manually, not through a link provided in the email. If it’s real, you can look up the information through your account, and if not, you’ve just protected yourself.
- Don’t panic! Urgent calls for action to avoid loss of service or legal action are meant to upset you. Don’t let them. Read everything carefully and verify there’s a problem by using the service mentioned or calling the company using the number on their website, not in the email.
- If all else fails, Google it. These emails are widespread and a quick Google search will most likely bring up a hundred different people receiving the same fraudulent email.
If you’d like a refresher course on e-mail safety, contact Anderson Technologies to schedule an employee cyber security training seminar. Reach us by email at firstname.lastname@example.org or by phone at 314.394.3001.
Email-delivered threats have increased drastically over the last few years. Even businesses with enterprise-level email services and employee training can fall victim to creative manipulation. To battle this, Anderson Technologies offers a solution that protects email when other systems fall short.
Imagine turning on your work email to find a message from your biggest client. “If we get one more spam email from your accounts, we will stop doing business with you.”
How can this be? You pay for managed services, educate your employees on email security, and even recently upgraded your email services. How could something like this happen? Sure, your employees have received some suspicious-looking emails in the past, but there’s no way that could seep into your client interactions.
Except that’s exactly what happened to Intrante.*
According to Farica Chang, director at Anderson Technologies, the system administration team was able to trace the outgoing spam to a single “malicious phishing email that successfully executed code inside two employee Outlook applications.” The malware set up email rules that “hid its behavior from the users and began spamming everyone in their address books with email sent through their accounts.” Those emails not only went out to every internal company inbox but also to many clients and vendors.
Intrante couldn’t afford for this to happen again. Imagine this happened to you. What would you do?
Upon learning of the spam coming from Intrante’s accounts, senior systems administrator at Anderson Technologies, Luke Bragg, immediately took action. “The first thing we did was reset the passwords for the suspected accounts that were compromised,” he said, thus cutting off further access from cyber criminals. “From there we started digging into the accounts to see what other data or settings had been maliciously modified.”
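Part of the review Bragg describes is checking mailbox rules, since the malware here used rules to hide its activity. The following added example (not Anderson Technologies’ tooling; the rule export, its field names and the keyword list are hypothetical and constructed for illustration) flags enabled rules that keep mail out of the user’s view:

```python
import json

# Constructed rule export. Field names are hypothetical for this example,
# not the schema of any mail product.
RULES_JSON = """[
 {"mailbox": "a.user@example.invalid", "name": "Newsletters", "enabled": true,
  "conditions": {"from_contains": ["news@vendor.invalid"]},
  "actions": {"move_to_folder": "Newsletters"}},
 {"mailbox": "a.user@example.invalid", "name": "Hide all", "enabled": true,
  "conditions": {},
  "actions": {"move_to_folder": "RSS Feeds", "mark_as_read": true}},
 {"mailbox": "b.user@example.invalid", "name": "Bounces", "enabled": true,
  "conditions": {"subject_contains": ["Undeliverable", "spam"]},
  "actions": {"delete": true}}
]"""
SAMPLE_RULES = json.loads(RULES_JSON)

# Subject words a concealing rule might match so that bounces and warnings
# from recipients never reach the mailbox owner (assumed list, tune locally).
WARNING_WORDS = {"undeliverable", "delivery", "spam", "phishing", "hacked", "virus"}

def hides_mail(actions):
    """True when the actions keep a message out of the user's view."""
    if actions.get("delete"):
        return True
    folder = actions.get("move_to_folder")
    return bool(folder) and folder.lower() != "inbox" and bool(actions.get("mark_as_read"))

def audit_rules(rules):
    """Return (mailbox, rule name, reasons) for enabled rules worth a manual look."""
    flagged = []
    for rule in rules:
        if not rule.get("enabled", True) or not hides_mail(rule.get("actions", {})):
            continue
        reasons = []
        conds = rule.get("conditions", {})
        if not conds:
            reasons.append("applies to all mail")
        words = {w.lower() for w in conds.get("subject_contains", [])}
        hit = sorted(words & WARNING_WORDS)
        if hit:
            reasons.append("suppresses warnings: " + ", ".join(hit))
        if reasons:
            flagged.append((rule["mailbox"], rule["name"], reasons))
    return flagged

if __name__ == "__main__":
    for mailbox, name, reasons in audit_rules(SAMPLE_RULES):
        print(f"{mailbox}: rule {name!r}: {'; '.join(reasons)}")
```

A flagged rule is a prompt for manual review, not proof of compromise; ordinary filing rules such as the "Newsletters" entry pass through unflagged.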
Once the scope of the incident had been uncovered and repaired, Bragg and his team needed a stronger email spam filtering solution to prevent a similar incident from occurring in the future.
He looked to the August 2017 study from SE Labs, which analyzed email threat protection services. This data made it clear—while many popular email services catch spam and phishing attempts, messages still slip through the cracks. Three email filtering services analyzed by SE Labs received their “AAA” rating: Mimecast, Forcepoint, and Proofpoint Essentials. While all three provided excellent coverage, only the last service achieved a 100% accuracy rating.
Proofpoint inspects both inbound and outbound emails. According to the SE Labs study, not only does Proofpoint quarantine or send threats to junk mail, it stops or rejects threats before they reach the user. If URLs are present in an email, Proofpoint’s system opens every link inside a controlled sandbox environment. “This action and analysis allows it to determine if the link is legitimate and safe before it releases the email to the recipient,” said Chang.
In addition to its stellar record, Proofpoint’s four subscription tiers also offer features that many clients of Anderson Technologies request. An Essentials Business account gives access to most of Proofpoint’s features, but the Advanced and Pro levels include email encryption (and along with that, HIPAA and PCI compliance) and social media account protection. Pro also offers a tamper-proof, off-site, unlimited (10 year) email archive.
With this distinctive solution, Anderson Technologies’ managed services team brought their answer back to Intrante.
According to Bragg, “email threats are extremely common, and probably one of the most targeted systems.” Email is the perfect delivery system for malware, spam, and phishing campaigns, all of which saw an increase in 2017, according to Symantec’s Email Threat Report. These threats can be spread through email by bots, by entities with malicious intent, and through the acts (unintentional or intentional) of authorized users.
Even educated employees can miss the subtle tricks of an effective spammer.
Phishing emails may look and feel like they come from a well-known company, like Amazon, Apple, PayPal, or UPS. Frequently, these attacks ask the reader to “click here to log in to your account,” which hands login information to a wolf in sheep’s clothing. These attacks are easy to mass-generate and make money for the perpetrators even if only 1 in 100 falls for the trap.
According to Symantec’s Email Threat Report, “one out of every nine email users encountered email malware in the first half of 2017!” These emails typically offer an attachment disguised as an invoice or other important document. These may appear to be sent from other employees and may even be routed through their real email addresses.
Malware-spreading emails typically urge the reader to act NOW, inhibiting the thought process through urgency.
Another vulnerability tied to email is information hacking.
Even comparably low-value targets can provide lucrative information to hackers—information like other user names, passwords, client information, industry secrets, or proprietary data. Email is as insecure as a postcard. As long as it is only read by the intended recipient, your message is moderately safe. Even so, never send passwords, financial credentials, Social Security numbers, etc., in a plain-text email. Once in the wrong hands, unencrypted email is easy to read.
Don’t be fooled. “Even with additional layers of filtering and security,” says Chang, “there will always be malicious emails that get through. Teaching employees to be wary and practice caution is the best defense.” Take advantage of education services like free seminars, or Anderson Technologies’ free ebook on cyber security.
Email may be the perfect vehicle for bad actors to find their way into your network, but you and your business don’t have to be a victim. With spam monitoring and encryption services like those offered by Proofpoint, a mistake or foolhardy action doesn’t have to mean the destruction of your business.
Anderson Technologies strives to ensure the IT products and tools it recommends are fully vetted and employed internally first. Principal Mark Anderson reports that after implementing Proofpoint Essentials, his junk email count has dropped by over 90%! Symantec’s Email Threat Report estimates an annual cost of $1,177.42 for the time one employee spends managing spam.
Bragg recommends a layered approach to email security. The first layer is perimeter protection with a good hardware firewall that has additional malware and intrusion defense capabilities. From there, Bragg notes the importance of enterprise-grade anti-virus software on all workstations and servers. This software must be closely monitored and updated to be truly effective. The final layer is spam filtering, and for that, Anderson Technologies recommends Proofpoint.
Of course, there is also user training, which is “challenging,” according to Bragg, “but necessary.” Even for businesses that are confident in their employees’ cyber security training regarding email, Proofpoint brings operations closer to a Zero Trust mindset, truly making your operations secure.
*Names have been changed to protect the identity of the business and its executives.